breakingduck

Reputation: 85

Python requests SSL authentication issue (and curl)

I'm trying to connect via https using requests. I have tried generating my own certificates as suggested online and passing my own CA bundle, without success. The error I get is:

SSLError: HTTPSConnectionPool(host='app.company.com', port=443): Max retries exceeded with url: /v1/auth/login (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

I'm using Python 3.6.3 :: Anaconda, Inc.

I'm of the opinion that generating my own certs is the wrong path, as I discovered that curl had the same issue. BUT, I got one version of curl to work but not another. The working version is this, which is the one packaged by iOS (/usr/bin/curl):

curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets

The non-working version is this (from anaconda):

curl 7.55.1 (x86_64-apple-darwin13.4.0) libcurl/7.55.1 OpenSSL/1.0.2l zlib/1.2.11 libssh2/1.8.0
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy

So the key issue seems to be SecureTransport vs. OpenSSL. Granted, I don't know why but is there a way I can get python requests to use SecureTransport? I want to understand why but for now I'll settle with it working!!

(And a side question is why the difference in SSL libraries for different versions of curl. Is it possible to make curl 7.55.1 use SecureTransport?)

Thanks in advance.

Upvotes: 3

Views: 4408

Answers (1)

breakingduck

Reputation: 85

I had the same problem described in this post: SSL error with Python requests despite up-to-date dependencies

The fix is just to concatenate all the certs into one file and stick it in the Nginx cert directory.

Upvotes: 1
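
The fix in the answer depends on the order of the concatenated file: nginx expects the server certificate first, followed by the intermediates that issued it. As an added example (not code from the original post), the following puts a PEM bundle into that order by matching each certificate's issuer to the next certificate's subject, and fails when a link is missing. `order_chain`, `issuer_and_subject` and `fake_cert` are hypothetical names, and the sample certificates are constructed stand-ins with a simplified Name, not real signed certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER bytes of one certificate's issuer and subject Names."""
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])  # enter Certificate, then tbsCertificate
    tag, _, end = _tlv(der, pos)            # [0] version (v3) or serialNumber (v1)
    if tag == 0xA0:
        end = _tlv(der, end)[2]             # v3: serialNumber follows the version
    iss = _tlv(der, end)[2]                 # skip signature AlgorithmIdentifier
    val = _tlv(der, iss)[2]                 # issuer Name is der[iss:val]
    sub = _tlv(der, val)[2]                 # skip validity
    return der[iss:val], der[sub:_tlv(der, sub)[2]]

def order_chain(pem_text):
    """Return the PEM blocks ordered leaf first, each followed by its issuer."""
    certs = [(m.group(0), *issuer_and_subject(base64.b64decode(m.group(1))))
             for m in PEM_RE.finditer(pem_text)]
    issuers = {iss for _, iss, sub in certs if iss != sub}
    leaves = [c for c in certs if c[2] not in issuers]
    if len(leaves) != 1:
        raise ValueError("bundle does not form a single chain (gap or unrelated cert)")
    chain, cur, by_subject = [], leaves[0], {c[2]: c for c in certs}
    while cur and cur not in chain:         # stops at a self-signed root
        chain.append(cur)
        cur = by_subject.get(cur[1])        # None: issuer is outside the bundle
    return [c[0] for c in chain]

def fake_cert(subject, issuer):
    """Constructed stand-in with the X.509 field layout; not a validly signed certificate."""
    seq = lambda tag, *parts: bytes([tag, sum(map(len, parts))]) + b"".join(parts)
    name = lambda cn: seq(0x30, seq(0x0C, cn.encode()))
    tbs = seq(0x30, seq(0xA0, seq(0x02, b"\x02")), seq(0x02, b"\x01"), seq(0x30),
              name(issuer), seq(0x30), name(subject))
    body = base64.b64encode(seq(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

ROOT = fake_cert("Example Root CA", "Example Root CA")  # constructed sample data
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
LEAF = fake_cert("app.company.com", "Example Intermediate CA")
FULLCHAIN = "\n".join(order_chain(ROOT + INTERMEDIATE + LEAF)) + "\n"  # wrong order in
```

A bundle that skips the intermediate (`LEAF + ROOT`) raises `ValueError`, which is the gap an OpenSSL-based client reports as `certificate verify failed`.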
